| | | | | | | | | | | Axios Codebook | | By Sam Sabin · Feb 06, 2024 | | Happy Tuesday! Welcome back to Codebook. Today's newsletter is 1,486 words, a 5.5-minute read. | | | | | | 1 big thing: Small spyware companies are a big problem |  | | | Illustration: Brendan Lynch/Axios | | | | The commercial spyware industry is booming, and many of the most dangerous players are small companies no one has heard of, Google warns in a report released today. Why it matters: The Biden administration, civil rights groups and other governments have spent years trying to squash abuses of commercial spyware — yet some of those same governments are still buying into the industry. Driving the news: Google's Threat Analysis Group (TAG) released a paper today detailing how smaller spyware vendors have started to dominate the underground market. - Often, media attention is given to some of the bigger players, including NSO Group and Intellexa. These are often companies that are open to talking with reporters and have been the subject of several news investigations.
- But TAG is currently tracking roughly 40 commercial spyware vendors, many of whom have never been publicly exposed, Maddie Stone, a security researcher for Google TAG, tells Axios.
The big picture: Commercial spyware includes malware that's installed on a victim's phone and allows attackers to surveil someone's calls, emails and text conversations. - Some of the most insidious types of spyware can be installed on someone's phone without them even having to click on a malicious link. Just successfully delivering a text message can lead to installation.
- Those using spyware often target high-risk groups, such as politicians, political dissidents, human rights activists and journalists.
What they're saying: "Most people on this planet don't need to be worried about them being individually hacked with these tools, yet it still affects us all," Stone tells Axios. - But if political figures are being targeted, Stone adds, that "calls into question free and fair elections and affects us as a society."
Between the lines: Governments worldwide have continued to buy into the commercial spyware market, despite growing efforts to crack down on vendors who sell to those abusing the technology, Stone says. - The paper released today is intended as a call to action for governments, the tech industry and civil rights groups to work together to make it more difficult for commercial spyware vendors to operate.
Details: Underreported vendors mentioned in the report include Cy4Gate, Negg Group and Variston. The intrigue: 35 of the 72 hacking tools that Google researchers saw actively targeting unpatched flaws in Google's products from mid-2014 through 2023 were created by spyware vendors — making them one of the top contributors to the dark web's zero-day market, per the report. - That estimate is based only on known hacks targeting zero-day vulnerabilities, so it's likely that a larger percentage can be traced back to vendors, the report notes.
Be smart: Researchers and government officials have recommended that those who could be spyware targets reboot their devices frequently to remove any spyware that an attacker or government may have installed. |     | | | | | | 2. Exclusive: Helping domains stop child abuse |  | | | Illustration: Shoshana Gordon/Axios | | | | A new partnership shared first with Axios is promising to help domain registries crack down on the spread of child sexual abuse materials (CSAM). Why it matters: Those who host CSAM often hop between various domains, and not all top-level domain registries have the resources to pay for tools that could help them better detect when hosts change websites. - The partnership between the Public Interest Registry (PIR) and the Internet Watch Foundation (IWF) hopes to democratize some of the most premium detection tools.
What's happening: The PIR will soon start paying to give registries free access to two IWF tools that track where CSAM materials are shared. - One tool is Domain Alerts, which provides alerts to registries if they're hosting a domain that's sharing CSAM.
- The other is access to the Top-Level Domain Hopping List, where the IWF tracks when a website operator changes domain names to circumvent detection.
The big picture: Currently, only a dozen registries take advantage of the two IWF tools, according to a joint press release announcing the partnership. - Registries are the organizations that operate domain name spaces, such as .com, .org and so on. Registries then sell access to those domains via retailers like GoDaddy and Namecheap.
- The Internet Corporation for Assigned Names and Numbers (ICANN) lists well over 1,500 top-level domains that are available today.
What they're saying: "All of the dot-com, all of dot-net, there are thousands now — there's everything from dot-food to dot-kids," Jon Nevett, CEO of the PIR, told Axios. - "We're going to sponsor any registry that's not currently getting the alerts from IWF. We're going to sponsor them to do that for free," he said.
Between the lines: Similar to other cybercriminal sites, those sharing CSAM online often will just change the domain of their website once they're detected — although the IP address remains the same. - For example, someone could easily change their site from BadAbuseSite[.]com to BadAbuseSite[.]de to sidestep a complete removal.
- And because the domain registry that runs .de websites is smaller, it might not have the financial resources to pay for the IWF's tools.
What's next: Domain name registries interested in participating in the program can reach out to the IWF to enroll. | | | | | | | | 3. Execs, government officials support SolarWinds |  | | | Photo: Suzanne Cordeiro/AFP via Getty Images | | | | The U.S. Chamber of Commerce, security executives and prominent former government officials filed a set of amici curiae briefs late Friday in support of SolarWinds in its case against the U.S. Securities and Exchange Commission. Why it matters: The signatories include former national cyber directors Chris Inglis and Kemba Walden, Activision Blizzard CISO Brett Wahlin, and former Clorox CISO Amy Bogac. What's happening: The following groups submitted briefs asking the U.S. District Court for the Southern District of New York to dismiss the SEC's case against SolarWinds and its top security executive, Timothy Brown: - The Chamber of Commerce and the Business Roundtable
- BSA, a tech lobby that represents enterprise software companies
- A group of more than 30 current and former security executives
- The Cyber Governance Alliance, the GlobalCISO Leadership Foundation, the Internet Security Alliance, and other cybersecurity consulting groups
- A group of 21 former government officials
Catch up quick: In October, the SEC filed a first-of-its-kind complaint alleging that SolarWinds and Brown presented misleading and false statements about the company's cybersecurity risks and practices from October 2018 to "at least" Jan. 12, 2021. - SolarWinds was the main target in an extensive Russian cyber espionage campaign in late 2020.
- Last week, SolarWinds filed a motion to dismiss the SEC's case.
What they're saying: "Never before has the SEC sued the victim of a nation-state cyberattack; sued a company for securities fraud based on the company's cybersecurity disclosures; or sought to hold an individual personally liable for those disclosures," the BSA wrote in its filing. In a statement, Serrin Turner, an attorney at Latham & Watkins who is representing SolarWinds, said the company is "grateful" for the new briefs. - The briefs "highlight that the SEC's positions in this case are not only unsupported by the law but raise serious security concerns for companies, CISOs, and the public at large," Turner said. "We remain confident that SolarWinds' disclosures at all times were appropriate, and the SEC's assertions otherwise are fundamentally flawed."
Between the lines: Many of the briefs express concern that the SEC's case will have a chilling effect on companies and government offices that can help during an active cyberattack. The intrigue: The Chamber of Commerce and the Business Roundtable argued that if the SEC wins this case, it will set a precedent that allows the agency to prosecute any company that doesn't adhere to its own internal policies. - "The SEC's interpretation creates profound uncertainty for the members of the Chamber and Business Roundtable because it suggests a standard that is virtually impossible to meet and discernible only in hindsight," the two business groups said in their filing.
Of note: Security leaders also expressed concern that the charges could hinder their ability to even talk with their teams about potential problems within their company's networks. - "Maintaining any organizational policy involves identifying and rectifying deficiencies, and candid discussions between CISOs, their teams, and organizational leadership are essential for any cybersecurity program seeking to mitigate risk," the executives wrote in their brief.
The other side: An SEC spokesperson declined to comment "beyond the public filings or our recent statement on this matter." | | | | | | | | A message from Axios | | Your trusted source for policy news | | |  | | | | Axios Pro: Policy takes you into the halls of Congress, with an insider's look at the Hill and everything happening. Subscribe today. | | | | | | 4. Catch up quick | | @ D.C. 🪖 Gen. Timothy Haugh has officially started as the new leader of U.S. Cyber Command and the National Security Agency. (DefenseScoop) @Industry 👔 Cybersecurity startup Wiz has hired Dali Rajic, former chief operating officer at Zscaler, as president and COO. (Reuters) 📈 Palantir reported $608.4 million in revenue during its fourth-quarter earnings, beating analysts' expectations of $602.4 million. (CNBC) @ Hackers and hacks ⚠️ Remote desktop software provider AnyDesk has revoked all security-related certificates and has reset passwords after a recent cyberattack. (TechCrunch) 🪪 A new underground website can now produce highly convincing, fake driver's licenses within minutes that are able to bypass online identity-verification processes. (404 Media) 🤷🏻♀️ Even Cory Doctorow, the author and journalist well known for his science fiction work and tech commentary, can be scammed. (Pluralistic) | | | | | | | | 5. 1 fun thing |  | | | Screenshot: @itsbelakboy/X | | | | This is also a Miley Cyrus stan newsletter. | | | | | | | | A message from Axios | | Your trusted source for policy news | | | | | | | | Axios Pro: Policy takes you into the halls of Congress, with an insider's look at the Hill and everything happening. Subscribe today. | | | | ☀️ See y'all Friday! Thanks to Scott Rosenberg and Megan Morrone for editing and Khalid Adad for copy editing this newsletter. If you like Axios Codebook, spread the word. |  | Your essential communications — to staff, clients and other stakeholders — can have the same style. Axios HQ, a powerful platform, will help you do it. | | | | | | Axios thanks our partners for supporting our newsletters.
Sponsorship has no influence on editorial content. Axios, 3100 Clarendon Blvd, Arlington VA 22201 | | | You received this email because you signed up for newsletters from Axios.
To stop receiving this newsletter, unsubscribe or manage your email preferences. | | | Was this email forwarded to you?
Sign up now to get Axios in your inbox. | | | | Follow Axios on social media:    | | | | | |
No comments:
Post a Comment